Symantec Directory : Vulnerability Solution for Symantec Directory world writable log files
search cancel

Symantec Directory : Vulnerability Solution for Symantec Directory world writable log files

book

Article ID: 272921

calendar_today

Updated On:

Products

CA Directory

Issue/Introduction

Some Symantec Directory log files have public write permission (666):

-bash-4.2$ ll /opt/CA/Directory/dxserver/logs/dxagent.*
-rw-rw-rw-. 1 dsa etrdir  34782 Aug 10 07:41 /opt/CA/Directory/dxserver/logs/dxagent.access.log
-rw-r-----. 1 dsa etrdir  68802 Aug  8 23:59 /opt/CA/Directory/dxserver/logs/dxagent.access.log.2023-08-08
-rw-rw-rw-. 1 dsa etrdir 107338 Aug  9 23:55 /opt/CA/Directory/dxserver/logs/dxagent.access.log.2023-08-09
-rw-r-----. 1 dsa etrdir   1093 Aug 31 10:06 /opt/CA/Directory/dxserver/logs/dxagent.error.log
-rw-r-----. 1 dsa etrdir   1093 Aug  7 09:17 /opt/CA/Directory/dxserver/logs/dxagent.error.log.2023-08-07
-rw-r-----. 1 dsa etrdir   1093 Aug  8 10:13 /opt/CA/Directory/dxserver/logs/dxagent.error.log.2023-08-08
-rw-rw-rw-. 1 dsa etrdir   2927 Aug 10 07:45 /opt/CA/Directory/dxserver/logs/dxagent.error.log.2023-08-10
-rw-r-----. 1 dsa etrdir   1093 Aug 14 09:42 /opt/CA/Directory/dxserver/logs/dxagent.error.log.2023-08-14
-rw-rw-rw-. 1 dsa etrdir   2927 Aug 20 10:55 /opt/CA/Directory/dxserver/logs/dxagent.error.log.2023-08-20
-rw-r-----. 1 dsa etrdir   1093 Aug 21 10:57 /opt/CA/Directory/dxserver/logs/dxagent.error.log.2023-08-21
-rw-rw-rw-. 1 dsa etrdir   2927 Aug 28 17:57 /opt/CA/Directory/dxserver/logs/dxagent.error.log.2023-08-28
-bash-4.2$

A file that can be written by any user on the system could be a serious security flaw.

Please provide a solution for the above vulnerability.

Environment

Release : 14.1

Cause

We must assure you that 666 (i.e. "-rw-rw-rw-") permission on the dxagent log files would not impact Directory services in any way. The only impact of such permissions being used is that any ordinary Linux user can modify or delete the affected log files.

Please note that only dxagent logs are affected, and not the DSA logs.

DSA logs contain a lot of useful information, and depending on logging configuration may also contain some confidential data, like for instance user DN hence all DSA logs have 640  (i.e. "-rw-r-----") permissions and thus are not vulnerable.

The dxagent logs do not contain a lot of useful information (unless temporarily set them to DEBUG level in case of dxagent troubleshooting), so it is not really a big security flaw if they are compromised.

This is currently being investigated further. In the mean time, following (in the Resolution below) can be applied as a workaround.

 

Resolution

We can propose the following workaround to rectify this vulnerability:

  1. Change the permissions of existing dxagent logs:

    1. logon into the machine where Directory is installed as 'dsa' user
    2. Change permissions:
      chmod 640 /opt/CA/Directory/dxserver/logs/dxagent.*

  2. Setup a cron job to run after midnight every day (because dxagent logs are rolled at midnight), which will change the logs permissions:

    1. logon into the machine where Directory is installed as 'dsa' user
    2. run this command to edit cron list:
      crontab -e
    3. Add the following line to crontab:
      02 00 * * * chmod 640 /opt/CA/Directory/dxserver/logs/dxagent.*

      The above crontab item will run at 12:02am every night, and will change dxagent logs permission to 640